This month the device we have is so amazing we aren't allowed to
put pictures of it. It is a Professional Grade RF Audio Bug with
approximately 900-1000 feet of wireless transmission range.

This device is the best on the market and has amazing clarity
and range. Truly it is remarkable. I am working now on getting
some videos made to demo the usage of this device.

Spy Associates says this is a very secretive device and they can't have it
advertised, so if you think you are interested in this amazing device you need
to contact Jeff directly and tell him you heard about it on our podcast and
newsletter.

You have to check out the link above and see what else Spy
Associates has to offer. They have been an amazing sponsor and really
have some of the best social engineering/spy gear on the market. This can be a
great addition to the tool set of professional SEs.

There is more to come, but until then make sure to check out Spy Associates
for the latest and greatest Social Engineering tools out there.

Our podcast...wow - last month literally broke some records or
something. Thank you for the support. Another shout out to the
EFF.

This month is just as amazing. One of the leading
professionals on earth in the subject of human influence is our guest.
You will not want to miss this amazing podcast.

If you want to listen to our past podcasts, hit up our Podcasts Page and
download the past episodes.

What else? We are being featured along with Offensive
Security in the Securabit Podcast this month. Shout out to those
awesome guys. Be sure to check us out.

......

Social Engineering for the Rest of Us: Protection for Humans

Social Engineering attacks can be devastating. They are so
effective that they form the basis of many modern attacks; according
to McAfee, 46% of browser attacks were directed toward PDFs. This is
of course partly a result of weak security in Adobe's code, as demonstrated by
Logan's video, but it also carries with it the implicit requirement that the
target has to open the PDF. That means SE tactics are required.

Phishing attacks are another example of widespread social
engineering attacks that we have seen for years yet are still hitting hard
and heavy. The fact that they are still happening so often just means that
people still fall for them regardless of numerous warnings.

Take these traditional attack vectors and combine them with the
widespread adoption of “social media” sites by the mainstream public, and
times are great for attackers. More and more the general public is entering
into areas that increase their exposure to social engineering attacks, and
they are just not ready for it. Traditional advice for these users, while
well intentioned, is just not resonating with them. This has been explained
quite well in the paper “So
Long, And No Thanks for the Externalities: The Rational Rejection of Security
Advice by Users” from Microsoft Research. The question becomes: What
advice can we give non-technical people that will help protect them from
Social Engineering based attacks?

Last week I was given the opportunity to speak with a community
group about this topic. This was a great chance for me to interact with a
segment of this user base and see what problems they are facing, what
concerns they have. By no means do I think that they are representative of
users everywhere, but it was a start.

After working with them, I walked away with a few concepts that I
tried to boil down to ten of the most basic, foundational items that
everyone needs to know. The following list is written to help non-technical
people, but really everyone in the community can benefit from the information
it contains.

1. Common sense you use in day-to-day life applies online as well.
Stop thinking about Online and Offline as separate "places" with a different
set of rules. People will still try to take advantage of you, make fun of
you, cliques will develop, and reputations matter. People are "online" in so
many contexts now that it is effectively present all the time. Cell phones
alone have put us there, not to mention video game systems and even
televisions that are going online.

The primary difference between the two is that the online world makes it
easier for a single person to pretend to be multiple people. The base concept
still applies even in that situation: don't just assume people are who they
say they are. It's as true in real life as it is online.

2. The Internet is not evil.
Despite all the negative things you hear on the news, the Internet is not a
bad place. More people pay attention to negative stories, which sells more
advertising. Just like real life, there are very bad places, real sewers of
the Internet, where all the waste and refuse goes. If you don't like that sort
of thing, don't go there.

More than anything else, the Internet is a tool that provides
amplification. The same actions, interactions, and content can be found
online or offline. However, in all cases these actions, interactions and
content become louder when they are online. There are a multitude of reasons
for this, ranging from the one-to-many contact it makes possible to the
permanence of any action taken online. The reasons don't matter; just know
that something that happens on the Internet is going to be "louder".

3. You can’t buy your way to safety.
There is no product that can be bought which will do everything that needs to
be done to protect you. This just is not possible. Many people I interact
with think that because they run antivirus, or use a Mac, or they run Linux,
that they are safe. Nothing is a better defender than an educated target.

In fact, some make a strong argument that too much reliance on software such
as anti-virus encourages people to engage in unsafe behavior. When people
think that they are protected from malicious code by a quality anti-virus
product, they are more likely to download and run unknown software. We all
know how effective that is. This aspect of human behavior, where a consistent
risk level is maintained in the face of imposed safeguards, is the basis of
risk compensation theory.

4. Don't be scared.
Too many people that are new to technology are scared of it. It does not help
that "computers" have obtained such a reputation over the years of being
problematic to operate and falling apart at a moment's notice. When an
inexperienced person first starts using a computer they are scared that they
will "break" it if they make one wrong move. However, those that always have
technology around find it mundane, and there is nothing scary about it. I
learned years ago, when I used to work for a non-profit whose mission was
teaching senior citizens how to use computers and the Internet, that age is
not a factor. It's fear, and a preconceived notion of "I can't do it."

This fear drives much decision-making, putting many in
situations where they "spend" on the wrong problems. Everyone has a limited
amount of time and energy to put into online safety issues, so it is
important that whatever effort is put in goes where it matters most.
Deciding where it matters most is not something that can be done without
being familiar with the problem set. Give up the fear, and jump in. Where
possible, deal with root causes of issues and not symptoms. Spend energy on
the highest impact locations, and accept the fact that you will never be
100% protected.

5. Be aware of behavior modeling.
Behavior modeling is extremely important. In any given situation, people will
look to those around them to see how they should be dealing with a
situation. A great example of this is Twitter. When you initially sign up for
an account, the first thing that Twitter presents to you is other users they
suggest you follow. They don't do this because they love the people they are
suggesting, but rather they want you to look at these accounts to see how
people use Twitter. Another example of this is Apple with the release of the
iPad. Upon release of this new class of computing device, Apple presented
users with a large number of videos to watch and see how to use this device.

It’s important to also ask yourself, who models their behavior
off of you? If you are a parent with kids using Twitter or Facebook, are they
modeling their behavior on those networks off of you? Or is that not possible
because you are not using those services? If they don’t model their behavior
off of you, then whom are they modeling it off of? And are you comfortable
with that selection?

6. Assume everything you do on a social network is public.
Accounts will be compromised, privacy settings will be used incorrectly or
changed, and friends will pass along what is supposed to be private
communications. This is all going to happen. So regardless of what social
network you are using and how you have configured the settings, assume
everything you place up there can be seen by everyone. If you are not
comfortable with the creepy guy at the bus stop looking at it, that’s a good
indicator it should not be online.

7. If you don't respect your privacy, no one else will either.
Privacy is a funny thing, as some people guard it tightly while others see no
value in it at all. Many people will post up a multitude of information
without realizing how it can all be accumulated to become the foundation of a
very solid social engineering attack. There is a reason that so many companies
will spend so much money organizing and storing data about you. Information
has value, so understand what can happen when you just give it away.

Much emphasis in recent years has been put on credit ratings.
Your online reputation is just as important. Personally, I have Googled
everyone that I have ever interviewed before the interview. For right and for
wrong, what I have found has either made me more excited to speak to the
applicant or decide not to bring them in at all. You have to understand that
this is happening all the time, for many different reasons. If you have no
respect for your privacy and online reputation, it will affect you. This is
one reason why some behaviors such as sexting can be so devastating. Content
that is placed online cannot be removed, so any sort of embarrassing content
will stay around for far longer than was ever intended.

8. You can lie.
Nothing is forcing you to tell the truth online. And this can be used both
for and against you. Expect that much of what you receive is false. E-mails
will lie about where they are from and where they are sending you when you
click on links. Sites will lie about what they are for, or about how secure
they will keep your information. People will lie to you about who they really
are. Don’t accept something as fact without verification. For instance, if
you get a friend request don’t just accept it without talking face to face or
on the phone with the requestor and verifying that they actually sent it.

On the flip side, you can lie as well. If a site is asking for
information from you, and there is no reason for them to have it, either
leave it blank or make something up. Does a site really need your
birthday? Do they really need to know your relationship status? Your annual
income? Your address? Take a moment to think critically about what sites are
requesting of you and if there is any good reason to provide it. If there is
not and they insist on some value being entered, make something up.
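Item 8 says that e-mails will lie about where a link sends you. The usual form of that lie is an anchor whose visible text shows one address while its href points somewhere else. The script below is an added example (not part of the newsletter) that scans the HTML of a message for exactly that mismatch. The message body, the bank name and the `attacker.test` domain are all constructed for the demonstration, and the `registered_domain` helper is a deliberate simplification (last two labels) rather than a proper public-suffix lookup.

```python
"""Flag links in an HTML e-mail whose visible text names one site while the
href points at a different one. Added example; not from the original article."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real e-mail). The first link shows a
# bank address but sends the reader to a look-alike host under attacker.test.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<p>Sign in at <a href="http://login.example-bank.com.attacker.test/x">
https://www.example-bank.com/login</a> to keep it active.</p>
<p>Read our <a href="https://www.example-bank.com/help">help pages</a>.</p>
<p>Or go to <a href="https://www.example-bank.com/security">www.example-bank.com</a>.</p>
"""


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (assumption:
    good enough for .com-style names; real code should use a public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname from a URL or bare domain string, or None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text          # let urlparse treat a bare domain as a URL
    return urlparse(text).hostname


def looks_like_url(text):
    """Only link text that itself resembles an address can mislead the reader."""
    return "://" in text or ("." in text and " " not in text and not text.endswith("."))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._buf).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                       # plain words such as "help pages" are not a claim
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            flagged.append({"shown": shown, "actual": actual, "href": href})
    return flagged


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_HTML):
        print(f"link text claims {hit['shown']} but goes to {hit['actual']} ({hit['href']})")
```

Only the first link is reported: its text names `www.example-bank.com` while the href resolves to a host under `attacker.test`. The third link is left alone because text and target agree, and the second is skipped because "help pages" makes no claim about a destination. Hovering over a link in a mail client reveals the same information by hand; the script simply does the comparison for every link at once.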

9. There is no such thing as free.
No website is online just to provide you value. I think this was summed up in
a post by Joey Tyson, whom I will quote:
"As Bruce Schneier notes in an excellent video presentation, however, you and
I are not Facebook and Google's customers. We are their products. They sell
information about us, and hence they have a business interest in us sharing
more information with more people."
This is very true, and a point that many people don't see. In many respects,
most of us live in a state of symbiosis with many services such as Google.
They provide a service for us which we find very useful, and in return we
provide them with information about ourselves which they can then profit
from. This is not inherently negative, but it is something to keep in mind
before using any service or software. Always ask yourself: What are they
getting out of this?

10. Expect problems.
If you live in a city, eventually you will have a neighbor that gives you
problems. When you do, it can be upsetting and put a strain on your life, but
it's not that surprising. That's because we know about and are expecting
problems at some point. This same expectation is not as widespread when it
comes to problems online. But they will happen, you will have problems, and
you have to know how to deal with them.

In recommending protective measures, we have to be respectful of
people's time and knowledge. We can't expect them to become experts in order
to be safe online; that's just not reasonable. This list is a starting point
in trying to answer the questions: What rules does everyone need to know
when he or she goes online? What defenses do we need to ensure that everyone
has? We would love your input on this, so we can continue to improve and
validate this list.

Feel free to put this in front of those you think might need it.
In your business, at your school, or perhaps even in your family. If you have
anything of value, someone is going to want to take it from you. Everyone
could use some additional defense.

Jim O'Gorman - A chief contributor for social-engineer.org and consultant for
Continuum Worldwide

Oxytocin the "Trust" Hormone

Most modern social-engineering (SE) techniques are used to
analyze observable facets of human behavior and social interactions, but when
it comes to bio-chemistry the field is wide open. While various crude
pharmaceutical means can be used to provide a leg up in applied
social-engineering efforts, few if any appear to offer the promise of a simple
hormone naturally produced by the human body.

Enter Oxytocin. Oxytocin is a hormone that acts as a
neuropeptide (neuropeptides are small protein-like molecules used by neurons
to communicate with each other) in mammalian species, and it holds promise for
a multitude of uses including treatments for diseases, behavioral disorders
and, of course, soft target manipulation, aka social engineering.

First synthesized in 1953 by Nobel Prize winner Vincent
du Vigneaud, Oxytocin was initially developed and later marketed as a
medication to treat postpartum hemorrhages and to reduce the occurrence of
premature birth in human and veterinary subjects. The drugs that
contain the hormone are typically delivered via injection or by use of a
nasal spray rather than via ingestion, as they are broken down by the
digestive system without significant absorption into the blood stream.
Other direct applications include studies for the treatment of social
bonding in autistic children and treatment of postpartum depression.
The neuropeptide is theorized to be produced by neurons for uptake into
receptors. It is released in large doses by certain illicit drugs,
including 3,4-Methylenedioxymethamphetamine (ecstasy), which is believed to
be the cause of the drug's feelings of empathy and closeness to others. In
addition to its uses in maternity, the question of its efficacy in the
formation of trust relationships between peers has also been raised.

Studies beginning with rats in the late 1980s and leading
ultimately to a 2005 study concerning the effects of Oxytocin on new trust
relationships and reduction of apprehension towards peers provide evidence
that it has a profound influence in this arena. The primary human study
on this subject utilized an "investor dilemma" trust experiment in
a double-blind study with 128 participants, as well as a risk experiment
consisting of 66 participants used as a control group. The study showed
that the group given a dose of Oxytocin via nasal spray in the trust
experiment had a mean average of 15.6% greater chance of investing in a trust
relationship, whereas those without potential gain in the risk group showed no
statistically significant increase in their willingness to grant trust to
another. What this study indicates is that when an opportunity for
monetary gain was presented to a person under the influence of the hormone,
as opposed to the placebo, they had a greater chance of investing that trust
in the other party, but in the cases where no gain could be garnered from
giving away their money they did not wish to do so. An additional study
designed to measure the duration of oxytocin levels in the bloodstream after
being administered showed that the drug has a relatively short
half-life of 1-6 minutes, which, as the 2005 study on trust also noted,
points to the fact that the effect of the synthetic drug is very short-lived.

Knowing the results of these studies may not on the surface
provide for any significant effect on the social-engineering techniques that
you employ, but there is more to this hormone than simple trust
experiments using nasal sprays and illicit drugs. The naturally
occurring formation of Oxytocin varies in the adult human brain due to
established factors that are related to the levels of regular sleep a person
experiences and the duration of sustained stress levels that they
experience. In a 2009 study it was shown that individuals that were
under raised psychological stress levels for periods of several days or more
had reduced levels of Oxytocin in their systems and showed signs of
increased distrust and hopelessness as compared to those that had not been
under these circumstances. Additionally, the study showed that people
that had been in reduced stress situations that involved increased levels
of natural sleep had increased levels compared to the median average. When
this information is taken into account, some interesting attack vectors become
relevant if some additional research is performed.

Using some basic information gathering techniques, such as
checking social media updates for activity times when sleep would
otherwise be occurring, notices of vacation or extended work-hours, or
personal relationship conflicts, can all be indicators as to which parties
might be more apt to form the kind of trust relationship a
social-engineer is looking for. Otherwise it could point out parties
that you may want to avoid, or that you might otherwise approach as an attack
vector when other opportunities present themselves. These guidelines
may give a social engineer the edge they need to succeed where they
might otherwise fail in an engagement, or at least give them greater
confidence that their target is susceptible to trust-based manipulation.

There are certain websites that offer the sale of "Liquid Trust", which is a
spray-on version of Oxytocin. The claim is that by using this as a
perfume you can instantly build trust with those around you. Whether this
works or not, we are unsure, but for $50 it might be worth checking out the
claims.

Until a better delivery mechanism arrives for artificially
produced oxytocin, it is likely not a reliable tool for use in SE attacks, but
knowing how it is produced naturally and using the cues about its
production may be just as important to a talented social-engineer. In
order to best apply this knowledge towards this end, a social engineer must
work hard to build a trust relationship using techniques that could
allow for disclosure of sensitive information. Additionally, the person
could have a greater willingness to perform minor tasks for the social
engineer, including plugging in a USB key to retrieve some information from it
or allowing them access to sensitive areas when posing as service personnel
requiring such access to complete a task. Trust relationships in these
situations prove crucial to effectively overcoming the human barriers
that would otherwise complicate an engagement.